Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passwords: Too Much and Not Enough

Posted by Soulskill on from the 123456-trustno1-hunter2-letmein dept.

An anonymous reader writes: Sophos has a blog post up saying, "attempts to get users to choose passwords that will resist offline guessing, e.g., by composition policies, advice and strength meters, must largely be judged failures." They say a password must withstand 1,000,000 guesses to survive an online attack but 100,000,000,000,000 to have any hope against an offline one. "Not only is the difference between those two numbers mind-bogglingly large, there is no middle ground." "Passwords falling between the two thresholds offer no improvement in real-world security, they're just harder to remember." System administrators "should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen."

1 of 223 comments (clear)

  1. Perhaps we should ask resident expert by Anonymous Coward · · Score: 0, Funny

    Bennett Haselton? I'm sure he has an opinion on how we can solve this problem, now that he's solved the world's ice selling problems.